dcrat | 6d45c064b77103d7b24556c9f05d2d9605163080859a3d07383b29d5e0f3dafb

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6d45c064b77103d7b24556c9f05d2d9605163080859a3d07383b29d5e0f3dafb.exe
Size

1.3MB
MD5

e3ec6634bbf187f306a23f8c65ff55a4
SHA1

db91c521d2fe223940b920b758a17ef798783827
SHA256

6d45c064b77103d7b24556c9f05d2d9605163080859a3d07383b29d5e0f3dafb
SHA512

03f9d284687989ecd21f871f4970c7d0b38cf4679d077aa632aaa332020ebcb1343e9bb8979ee5da3ee3d1becc5c1918187819df2683323b7ea71a4f987c01dc
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2620	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001662e-12.dat	dcrat
behavioral1/memory/2708-13-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/624-58-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat
behavioral1/memory/2560-119-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/1676-416-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/2488-477-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/1972-596-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2888	powershell.exe
2316	powershell.exe
2772	powershell.exe
2648	powershell.exe
2232	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2708	DllCommonsvc.exe
624	Idle.exe
2292	Idle.exe
2560	Idle.exe
908	Idle.exe
1864	Idle.exe
2372	Idle.exe
2280	Idle.exe
1676	Idle.exe
2488	Idle.exe
652	Idle.exe
1972	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2068	cmd.exe
2068	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6d45c064b77103d7b24556c9f05d2d9605163080859a3d07383b29d5e0f3dafb.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2604	schtasks.exe
1804	schtasks.exe
2940	schtasks.exe
2932	schtasks.exe
1924	schtasks.exe
2192	schtasks.exe
2728	schtasks.exe
2584	schtasks.exe
3016	schtasks.exe
2016	schtasks.exe
2868	schtasks.exe
1568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2708	DllCommonsvc.exe
2708	DllCommonsvc.exe
2708	DllCommonsvc.exe
2232	powershell.exe
2316	powershell.exe
2772	powershell.exe
2648	powershell.exe
2888	powershell.exe
624	Idle.exe
2560	Idle.exe
908	Idle.exe
1864	Idle.exe
2372	Idle.exe
2280	Idle.exe
1676	Idle.exe
2488	Idle.exe
652	Idle.exe
1972	Idle.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	DllCommonsvc.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	624	Idle.exe
Token: SeDebugPrivilege	2560	Idle.exe
Token: SeDebugPrivilege	908	Idle.exe
Token: SeDebugPrivilege	1864	Idle.exe
Token: SeDebugPrivilege	2372	Idle.exe
Token: SeDebugPrivilege	2280	Idle.exe
Token: SeDebugPrivilege	1676	Idle.exe
Token: SeDebugPrivilege	2488	Idle.exe
Token: SeDebugPrivilege	652	Idle.exe
Token: SeDebugPrivilege	1972	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2804	880	JaffaCakes118_6d45c064b77103d7b24556c9f05d2d9605163080859a3d07383b29d5e0f3dafb.exe	30
PID 880 wrote to memory of 2804	880	JaffaCakes118_6d45c064b77103d7b24556c9f05d2d9605163080859a3d07383b29d5e0f3dafb.exe	30
PID 880 wrote to memory of 2804	880	JaffaCakes118_6d45c064b77103d7b24556c9f05d2d9605163080859a3d07383b29d5e0f3dafb.exe	30
PID 880 wrote to memory of 2804	880	JaffaCakes118_6d45c064b77103d7b24556c9f05d2d9605163080859a3d07383b29d5e0f3dafb.exe	30
PID 2804 wrote to memory of 2068	2804	WScript.exe	31
PID 2804 wrote to memory of 2068	2804	WScript.exe	31
PID 2804 wrote to memory of 2068	2804	WScript.exe	31
PID 2804 wrote to memory of 2068	2804	WScript.exe	31
PID 2068 wrote to memory of 2708	2068	cmd.exe	33
PID 2068 wrote to memory of 2708	2068	cmd.exe	33
PID 2068 wrote to memory of 2708	2068	cmd.exe	33
PID 2068 wrote to memory of 2708	2068	cmd.exe	33
PID 2708 wrote to memory of 2888	2708	DllCommonsvc.exe	47
PID 2708 wrote to memory of 2888	2708	DllCommonsvc.exe	47
PID 2708 wrote to memory of 2888	2708	DllCommonsvc.exe	47
PID 2708 wrote to memory of 2232	2708	DllCommonsvc.exe	48
PID 2708 wrote to memory of 2232	2708	DllCommonsvc.exe	48
PID 2708 wrote to memory of 2232	2708	DllCommonsvc.exe	48
PID 2708 wrote to memory of 2316	2708	DllCommonsvc.exe	49
PID 2708 wrote to memory of 2316	2708	DllCommonsvc.exe	49
PID 2708 wrote to memory of 2316	2708	DllCommonsvc.exe	49
PID 2708 wrote to memory of 2648	2708	DllCommonsvc.exe	50
PID 2708 wrote to memory of 2648	2708	DllCommonsvc.exe	50
PID 2708 wrote to memory of 2648	2708	DllCommonsvc.exe	50
PID 2708 wrote to memory of 2772	2708	DllCommonsvc.exe	52
PID 2708 wrote to memory of 2772	2708	DllCommonsvc.exe	52
PID 2708 wrote to memory of 2772	2708	DllCommonsvc.exe	52
PID 2708 wrote to memory of 624	2708	DllCommonsvc.exe	57
PID 2708 wrote to memory of 624	2708	DllCommonsvc.exe	57
PID 2708 wrote to memory of 624	2708	DllCommonsvc.exe	57
PID 624 wrote to memory of 1204	624	Idle.exe	58
PID 624 wrote to memory of 1204	624	Idle.exe	58
PID 624 wrote to memory of 1204	624	Idle.exe	58
PID 1204 wrote to memory of 764	1204	cmd.exe	60
PID 1204 wrote to memory of 764	1204	cmd.exe	60
PID 1204 wrote to memory of 764	1204	cmd.exe	60
PID 1204 wrote to memory of 2292	1204	cmd.exe	61
PID 1204 wrote to memory of 2292	1204	cmd.exe	61
PID 1204 wrote to memory of 2292	1204	cmd.exe	61
PID 2836 wrote to memory of 2804	2836	cmd.exe	64
PID 2836 wrote to memory of 2804	2836	cmd.exe	64
PID 2836 wrote to memory of 2804	2836	cmd.exe	64
PID 2836 wrote to memory of 2560	2836	cmd.exe	65
PID 2836 wrote to memory of 2560	2836	cmd.exe	65
PID 2836 wrote to memory of 2560	2836	cmd.exe	65
PID 2560 wrote to memory of 1568	2560	Idle.exe	66
PID 2560 wrote to memory of 1568	2560	Idle.exe	66
PID 2560 wrote to memory of 1568	2560	Idle.exe	66
PID 1568 wrote to memory of 2684	1568	cmd.exe	68
PID 1568 wrote to memory of 2684	1568	cmd.exe	68
PID 1568 wrote to memory of 2684	1568	cmd.exe	68
PID 1568 wrote to memory of 908	1568	cmd.exe	69
PID 1568 wrote to memory of 908	1568	cmd.exe	69
PID 1568 wrote to memory of 908	1568	cmd.exe	69
PID 908 wrote to memory of 1536	908	Idle.exe	70
PID 908 wrote to memory of 1536	908	Idle.exe	70
PID 908 wrote to memory of 1536	908	Idle.exe	70
PID 1536 wrote to memory of 1860	1536	cmd.exe	72
PID 1536 wrote to memory of 1860	1536	cmd.exe	72
PID 1536 wrote to memory of 1860	1536	cmd.exe	72
PID 1536 wrote to memory of 1864	1536	cmd.exe	73
PID 1536 wrote to memory of 1864	1536	cmd.exe	73
PID 1536 wrote to memory of 1864	1536	cmd.exe	73
PID 1864 wrote to memory of 2552	1864	Idle.exe	74

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d45c064b77103d7b24556c9f05d2d9605163080859a3d07383b29d5e0f3dafb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6d45c064b77103d7b24556c9f05d2d9605163080859a3d07383b29d5e0f3dafb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:764
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        7⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2804
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2684
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1860
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
        14⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1584
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat"
        16⤵
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2756
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        18⤵
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2972
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"
        20⤵
        
        PID:1204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2760
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat"
        22⤵
        
        PID:1416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1732
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"
        24⤵
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:568
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d2e13acb5be385e56576d71749873ce

SHA1
52c17e5d5f0e625eace41f29c2b420d677fe14c5

SHA256
623d70fbc06e0874027c871869355cf39f6fcacb27faf3c731676af66ac2198e

SHA512
d834e1f60b338cd68f0fd8c423ead5647ecdb1f8ce8c35d8b77e041948cbdc4207ff3192e3a95b01e023c187b3c552abea791042dd2e0e2948eecabef20b2940

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c0300bec169519d778955822b152da0

SHA1
4e93441379c1152547ae6a8305823e8b17084fad

SHA256
eb6c72b8d925b3e31fc75aafedfc605cea74a9afe29b298c6358dd0d84c22455

SHA512
40dedbc343dae2825bbc4a4bc7b1da400ee86e5c5c97f1a24e88467c0565a605b013bbdfacfec2c0e1bde580f8afa460cb4e9b66ffad613e95993907988a4583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54d048a224d2f2a69886babdaa42e83f

SHA1
f1033d16ce63e786b678f089d7950604bce6b72c

SHA256
6570553739194786a2b53305c68da653a6979040886efe551ed41d205cbd4cc7

SHA512
c0274b16182b819d2d838674a7a7d8787ecbc30a6408c4521f168596df2b69584a10edb4a6bfa3dc2536bf5b0edf36ce068b1de8348e6e504484a3b4beeda024

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79cecbf330ea2100753603acbae9501b

SHA1
0ce41cdd24fbc999028f5190f57e0f62b68012d5

SHA256
0332b53b9b730efef9aa08390b13a9c7bb580a04d8c2d1534dfce07d7cb0dbe8

SHA512
d4fa10595329d36ec8fddf315a0fc01bde3cbca27cdab7c05a23bd1f50ca6b4cb857903732d448a9e7c1b596077f99f2e46fb2c9aba67e8b0780d9bd1778d1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7dcc77c16a727171f0840e076e524e02

SHA1
0d0d590939f0081260d66a599b1144671302436e

SHA256
2ae2ac4a51af52ce767c60834a292676bd652cfcaffa9bbdc35744a259600ba5

SHA512
9ebd4613e24b003e3cf8773ca9060ca2e99b4d3700a3688e69d84f8707dcbb9209a337540cb36033ae61dd5f472cab17e51a44fd43fdb3a17cb966f8b2278030

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc89f0faf12fc3819504e188464252d8

SHA1
6094fd2111283529cc2a168b1f88e4be230b3b1d

SHA256
0e07630948134b1efd5465f75335d15af66e0e504c698ded155b01ceeb183f38

SHA512
ca24c82bbc2d235f4c9ffc8d017d799fdf158a938dad56749dcd81e4eda3c4b8a172cca201e60527a9fd65be218adc7ccfe06cf4a5dc4209f29ea15272785b21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ab76d3845e70c6a281f2c8ef022dc54

SHA1
229405784cc9017b21730dd3e96781ae9143625c

SHA256
69b2b0b086fec41fb9b06a9a774291b5797df467e35fd8c9d51a70300c33c7b1

SHA512
deed243afcb30264cb8b9e5295c9ad3ad4d914bf0a62619675ef0c5a117dc755f6e591e9d1531bc1f77e5acc7764725ccd83cda0907235bcf76d991bdf7ee272

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df02a1ad8f0b58d86f9a84bdee475bbe

SHA1
2b315a31224d606f1f041e2a9279603c24524c2e

SHA256
77a72f86bf37b5d70a87237ccbbf3dd07c9f1e7f69211dd79e06c896def87c20

SHA512
1cafef871bc74a133fe7bd8b3ec54b0af120e09605b9f1c0c2f99999e294fdf55b77999e3a82d0f22b8aff4e1c89e36a241c71814cfe14109eb4fc8b0f7aeaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat

Filesize
191B

MD5
0c42ca69564cfdc75b31f238215f7986

SHA1
3e506603a2dbbbe057889ed25f25078ef59a9cbb

SHA256
a6f75818b71198067cc96d8cab489fce20a682e8555102cad1bccfec02fb7217

SHA512
d6026e94638009ce7ffc1f6a26fd6eed13280e5e8f09994e0d9249a381a4d94afaa62d5164b20f19ef3ae3fca805bda3e56b2784a03848abfb50f89118dcf53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat

Filesize
191B

MD5
c1fbd7ce105dc86d2dcf7f4ccb776459

SHA1
758f8e37f337ab7f839733a23ef8ae912ecde397

SHA256
ca8f24abcc17b800a910bc9fcbc0a1e86959cd14918e91da406541c0a140de33

SHA512
b1a8bffb4cf3cab34c25b74d8c27e563eaa473b250214d60b71fe25f52c311b783f13b0cdb1f43161e733da482970f530cedecc50394fb112aa9a6397d8e1b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9243.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9256.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMOyPGkKXB.bat

Filesize
191B

MD5
2212a91d2c2aa68ce6105d5e293a0a0a

SHA1
842fe7f1af2ca2ffa1203911586e438933665791

SHA256
bc79acc7d77a1c626ddc896a69c3a2aebcd7e9a73bfcbbbf6643a9e01f7c145b

SHA512
8aad974a3bc75a1322778b3b47d79b5dc63123ad9e690cfa0b8169c82f3828c5257d76ecb53025a42ae11275bed3bbc9e27a2a4278cada6c46d53a0b207b61b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat

Filesize
191B

MD5
8ad7ab001c43e012f5f61df5704b956a

SHA1
c9af41fc0afcb40dbc873b039236c46bbbbf3bb5

SHA256
6e0c0c0984a19ffb35ccf55643028206ab9fb4dc4712abbbb3a31b4ff03fc8f8

SHA512
4b8ffb4d27f94188d5386a67a7e2000a8464a453d367a172cc09aaa436259ea5164db6dd3fcb45ad11a399cc7158eb4cdef6a9d5b594b43fdee6bd4f5b5fd34e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat

Filesize
191B

MD5
88755898631b2128d27e39e6ba727231

SHA1
60e16f5ee95b2f3d1f2c4ac433b5d94d1a9f0534

SHA256
7554a26b5ea8c59d9a0905f965d0735282b679e495bb90b7d5b3bdfc8eb2d922

SHA512
6b6845709b9b789428845128354000c71fac75f420655457a8a3983e54631ed19d3ec87babb7dfdac49183039e9a195809447a96aec202eaa53cc741e8fa2633

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat

Filesize
191B

MD5
502ccce986f606363c32dbaea3072a5f

SHA1
ef59079f1416887e686dfe44347e7f9dd89a62a3

SHA256
d7899276b0e00de4dd1ac79c611a1e3cc25974c229ee9d786c40fb4be6fbd349

SHA512
80cc21c71690463c1ac587a0070a29896bcc342c73e579e4a2d854630201e3aa69c45229dc08e50e98bb58532f3f24ab73052f6374f4f9d0411140b899d945ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

Filesize
191B

MD5
6f40b2361b4b2391e924c4d042ed6381

SHA1
af495125bfbd1c94a752ca250879eb50fedbdff1

SHA256
dd24f89dea68bded8d2f0e6d213590091d5614129f0d7a6ef4ad7e356d4b5ca3

SHA512
a6166edcb7513e9d204118fa0b21f28d857910b21473186721b8706cb05c17d5a13c34b2fd7d913c8654a3684d169eed9d5b1f17681098ede08de9d4f707db37

Download Submit
C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat

Filesize
191B

MD5
edec79826568716faaa6791a29d0e6ab

SHA1
34d0f9981a2d6eee5b7bcfe4e4a1520f2434e3a2

SHA256
d818cd58fa50e561ec92cd910fc6731086411008ec61433d97fcaf0d20a5ec56

SHA512
c38b66473f4bf4f1e0d8f2d09640753388c8bf5f9eea594d2ba24bc9584de7978c9c549e24819b84cb90f658d0e7ad17c5a6e06c0586644ff0c8099906c35a77

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R1DKN6NO124U9QXUMX06.temp

Filesize
7KB

MD5
933d93da6ba9e400902110fc6d0c0680

SHA1
a4dfab824f715a15bef1b97ab313ed192679c46a

SHA256
d40fb97f5fb93534c8ac3398a5d4b1ca15199f9249d755163bd38351a8aec4c2

SHA512
3901f290daaf3c1d46f8791d67f56eb51906ff68ec7fcd3b05fcdbee594efcb36b1c94ef73d50df02540504faf3a57bc4b7a81457ef0dbbc6def8cbb5d8f3cd8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/624-59-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/624-58-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download
memory/1676-416-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/1676-417-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1972-596-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/2232-37-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2232-36-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2372-297-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2488-477-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/2560-119-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2708-17-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2708-16-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/2708-15-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2708-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2708-13-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download